8 Cloud Security Concepts You Should Know

This article describes key cloud concepts and deployment models you should know plus introduces you to fried beer! Yum!

Cloud security isn't that hard. It's really just traditional security concerns in a distributed and multi tenant environment. The challenge for most organizations is getting past the hype of what a cloud is.

I love a good buzzword as much as the next guy, but the term Cloud has gotten a bit out of control in the hype department. Marketing people are working overtime slapping a fresh coat of "cloud paint" on anything that doesn't get up and runaway.  We now have so many acronyms for cloud services that we have to result to using a variable (XaaS) or an * (*aaS) to categorize them.  After reading about the chef in Texas unleashing the horror of fried beer upon the world, which appears to be an unholy union between deep fried pretzel dough and beer that somehow allows the alcohol to retain its potency through the cooking process, I think we can safely add Coronary as a Service (CaaS) to that list as well.

For the most part cloud service can be divided into three main categories that are differentiated by your level of control and access to the mechanics of the system and applications themselves. Service level agreements are often the primary vehicle for ensuring security services and availability, but the ultimate responsible party for security is still the organization that actually owns the data. While a Service level agreement can help to provide financial recourse it cannot be used as a shield to transfer risk. You simply can't outsource accountability making security in the cloud a hot topic for many organizations.

A typical cloud service is usually offered in one of three ways and represent how much responsibility your organization has for the care and feeding of the service versus the provider and the level of transparency into the system you are allowed access to. The three types are:

• IaaS- Infrastructure as a Service is the highest level of control afforded to customers for cloud services. You build the virtual machines and deploy them on the cloud service providers network and all security concerns are yours to address. The IaaS provider will typically provide storage, compute, power, cooling, and network connectivity but beyond that the rest of the security equation is up to you. Examples: Amazon EC2

• PaaS-Platform as a Service utilizes a programming model to allow an organization to code applications that ride on a development framework. These platforms expose APIs to the developer and abstract the database services and computing platforms to aid in rapid development of web enabled services. Core security is usually handled by the PaaS provider, and offered as modules that programmers can hook into and use in their applications. The applications themselves must follow secure coding practices and are not something the provider is responsible for ensuring. Examples: Cisco Webex Connect, Amazon Web Services, Force.com

• SaaS-Software as a Service is the most common cloud offering and allows a user to purchase seats for an application that is hosted, maintained, and administered from the web. This cloud model offers limited visibility into the security process of the service provider. SLAs are pretty much all you will have to enforce your own security requirements. A reputable SaaS provider can often provide a stronger security posture for an organization that does not have the budget or the manpower to implement strong security. Bottom line is you are still the one that must protect your data through access control and secure administration. Cisco Webex, Salesforce, ect

There are also five main architectural deployment methods for organizations implementing cloud services. Most people use the NIST definitions for Cloud architectures with the addition of Virtual Private Cloud. The following represent these common deployment methods for cloud services.

• Virtual Private cloud- This type of deployment utilizes VPN technology to create a secure pipe into the cloud providers network to dedicated computing resources. This allows a company to use cloud services to augment local resources without having to worry about operating in a completely shared environment.

• Community Cloud- A community cloud is a consortium of organizations with similar service requirements or policies that join together to benefit from a common infrastructure. Examples: Group of schools, Government entities, ect

• Public Cloud-Cloud services offered to the public for a fee by a cloud service provider. Example: Google Apps, Amazon, Microsoft Azure, ect

• Hybrid Cloud-A hybrid cloud model uses any combination of public, private, community or virtual private clouds with a mixture of internal application and services as either a mechanism to increase capacity on demand or to move less sensitive applications to cloud services.

• Private cloud- A Private cloud deployment is the migration of existing data centers to virtualized environments that enable elastic computing capabilities as an internally provided and supported service. This model often gives the highest level of control from a security perspective.

Regardless of the type of cloud service you utilize the fundamentals of security are still the same. You still need to protect your data, authenticate and authorize your users, and monitor and audit access.  The challenges come form some of the unique aspects of cloud services, like multi-tenancy and new attack vectors that shared technology platforms open up.

Understanding what cloud is and how it can be used and protected is one of the reasons the Cloud Security Alliance was formed. The CSA is a community effort to develop security controls, processes, and measurements to ensure that security is properly implemented and addressed. I highly encourage you to checkout the CSA website and read the current research on cloud threats and auditing practices to learn more about how best to protect your data as you move it into the cloud. They even offer a certification to show off your cloud security skillz.

http://www.cloudsecurityalliance.org/

• Security
• auditing
• cloud security
• Cloud Security Alliance
• security